Cloud Threats and Attack Surface

Before you get into the nitty gritty engineering, tools and techniques, take a step back and consider where you can learn about the attack surface. I’ve put together a very high level view of to help you get started. Other posts and pages in this website will get into the details of these subjects.

Actors

  • General Internet Users
  • Employees
  • Third Party Integrator
  • Third Party Software Vendors
  • SaaS Vendors
  • Open source contributors

broader attack surface

Before planning the vectors of attack and the threats on the specific platform. Think about the broader vectors which introduce cloud and SaaS offering altogether.

If your security controls are going to be effective, you need to first have coverage across the threat landscape

For example, think about how your Cloud and SaaS attack surface increases

  • Cloud and SaaS being purchased/deployed as shadow IT on corporate cards with corp email accounts
  • Cloud and SaaS being purchased/deployed as shadow IT on personal cards with corp email accounts
  • Cloud and SaaS being purchased/deployed as shadow IT on personal cards with personal email accounts
  • Cloud and SaaS being purchased/deployed through corporate sourcing with corp email accounts
  • Accounts propagation of approved Cloud and SaaS
  • Network propagation to/from and between approved corporate Cloud and SaaS environments
  • Third Party Integration with other business partner cloud environments

Think about the vectors to access or abuse the platforms above

  • From internet on corporate desktops
  • From internet on personal desktops
  • From corporate intranet on corporate servers
  • From intranet on personal servers
  • From open-source code in repositories and registries
  • From vendor code provided officially to the company

Consider how you can build a program to prevent and discover the broader attack surface …

  • PREVENT
    • Corporate card purchases
    • Cross Account Roles
    • Proxy Whitelist and Blacklists
  • DETECT
    • Corporate card purchases
    • Email DLP alerts from “Welcome” emails
    • CASB desktop and networks service usage logs
    • Proxy Traffic logs
    • Netflow traffic logs
    • Cloud provider partnership to notify you on all corporate email account usages
    • Cross Account Roles

MITRE Cloud platform Matrix

You’ll also need a narrowly scope threat model to the specific platform in scope. There is no need to re-invent the wheel because MITRE already has a very good template for this.

Below are the tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise covering cloud-based techniques. The Matrix contains information for the following platforms: AWS, GCP, Azure, Azure AD, Office 365, SaaS

https://attack.mitre.org/matrices/enterprise/cloud/